@ -11,7 +11,6 @@ class wmdeit_ldap (
|
|||
$database,
|
||||
$rootdn,
|
||||
$rootpw,
|
||||
$starttls = "no",
|
||||
|
||||
$serverid,
|
||||
$simple_bind_tls = "128",
|
||||
|
@ -26,7 +25,6 @@ class wmdeit_ldap (
|
|||
"rfc2307bis",
|
||||
"krb5-kdc",
|
||||
"samba",
|
||||
"ppolicy",
|
||||
|
||||
# "samba",
|
||||
# "nis",
|
||||
|
@ -81,39 +79,26 @@ class wmdeit_ldap (
|
|||
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
|
||||
'by * break'
|
||||
],
|
||||
# System rights for members of Adm group
|
||||
'2 to *' => [
|
||||
"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
|
||||
'by * break'
|
||||
],
|
||||
# System rights for members of Adm group
|
||||
'3 to *' => [
|
||||
"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
|
||||
'by * break'
|
||||
],
|
||||
|
||||
# let users modify their passwords, and disable read acess to all others
|
||||
'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
|
||||
# '4 to attrs=userPassword' => [
|
||||
'2 to attrs=userPassword' => [
|
||||
"by self write",
|
||||
"by anonymous auth",
|
||||
"by * none",
|
||||
],
|
||||
# let users read all
|
||||
'5 to attr=entry,objectClass,givenName,cn,displayName' => [
|
||||
'3 to attr=entry,objectClass,givenName,cn,displayName' => [
|
||||
"by anonymous break",
|
||||
"by * read",
|
||||
],
|
||||
# let anonymous users list uids
|
||||
"6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
||||
"4 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
||||
"by anonymous read",
|
||||
"by * break",
|
||||
],
|
||||
# deny access to anything else
|
||||
'7 to *' => [
|
||||
'5 to *' => [
|
||||
"by * none",
|
||||
]
|
||||
|
||||
|
||||
},
|
||||
|
||||
){
|
||||
|
@ -134,10 +119,6 @@ class wmdeit_ldap (
|
|||
openldap::server::module { 'syncprov':
|
||||
ensure => present,
|
||||
}
|
||||
# openldap::server::module { 'ppolicy':
|
||||
# ensure => absent,
|
||||
# }
|
||||
|
||||
|
||||
|
||||
package { "heimdal-kdc":
|
||||
|
@ -150,6 +131,7 @@ class wmdeit_ldap (
|
|||
ensure => present,
|
||||
}
|
||||
|
||||
|
||||
class { 'openldap::server':
|
||||
ssl_ca => "$cacert",
|
||||
ssl_cert => "$pubcert",
|
||||
|
@ -159,7 +141,7 @@ class wmdeit_ldap (
|
|||
|
||||
# delete all schema and databases created by default during installation
|
||||
# This is some kind of a dirty hack because we use
|
||||
# in "before =>" and "require =>" some internal classes of module openldap
|
||||
# in before => and irequire => some internal classes of module openldap
|
||||
exec { 'wmdemanaged':
|
||||
before => Class['::openldap::server::config'],
|
||||
require => Class['::openldap::server::install'],
|
||||
|
@ -212,6 +194,7 @@ class wmdeit_ldap (
|
|||
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
||||
# }
|
||||
|
||||
|
||||
# openldap::server::globalconf { 'TLSCertificateKeyFile':
|
||||
# ensure => present,
|
||||
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
|
||||
|
@ -276,23 +259,14 @@ class wmdeit_ldap (
|
|||
|
||||
|
||||
# Build list of syncrepl-entries, store it in $syncrepl
|
||||
if !empty ($syncrepl_providers) {
|
||||
$mirrormode=true
|
||||
$syncrepl = $syncrepl_providers.map |Integer $index, $provider| {
|
||||
$i = $index+1
|
||||
"rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=$starttls retry=\"3 60 6 300 30 +\" timeout=1"
|
||||
}
|
||||
$syncrepl_providers.each |Integer $index, $provider| {
|
||||
if $provider[ip] {
|
||||
host{"host_$index":
|
||||
name => $provider[host],
|
||||
ip => $provider[ip],
|
||||
ensure => present,
|
||||
}
|
||||
}
|
||||
}
|
||||
# if !empty ($syncrepl_providers) {
|
||||
# $mirrormode=true
|
||||
# $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
|
||||
# $i = $index+1
|
||||
# "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
|
||||
# }
|
||||
# }
|
||||
|
||||
}
|
||||
|
||||
# create the main database
|
||||
openldap::server::database { "$database":
|
||||
|
@ -300,29 +274,21 @@ class wmdeit_ldap (
|
|||
ensure => present,
|
||||
rootdn => $rootdn,
|
||||
rootpw => $rootpw,
|
||||
syncrepl => $syncrepl,
|
||||
# syncrepl => $syncrepl,
|
||||
mirrormode => $mirrormode,
|
||||
}
|
||||
->
|
||||
openldap::server::overlay { "memberof on $database":
|
||||
ensure => present,
|
||||
options => {
|
||||
'olcMemberOfGroupOC' => 'groupOfMembers'
|
||||
}
|
||||
}
|
||||
->
|
||||
openldap::server::overlay { "syncprov on $database":
|
||||
ensure => present,
|
||||
}
|
||||
->
|
||||
# openldap::server::overlay { "smbk5pwd on $database":
|
||||
# ->
|
||||
# openldap::server::overlay { "syncprov on $database":
|
||||
# ensure => present,
|
||||
# }
|
||||
|
||||
# openldap::server::overlay { "ppolicy on $database":
|
||||
# ensure => absent,
|
||||
# }
|
||||
|
||||
->
|
||||
openldap::server::overlay { "smbk5pwd on $database":
|
||||
ensure => present,
|
||||
}
|
||||
|
||||
# $acls.each |Integer $i, $acl | {
|
||||
# notify{"Set ACL $i $acl":}
|
||||
|
|
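Review bot: The syncrepl string built in the `if !empty ($syncrepl_providers)` block binds as `$rootdn` with `bindmethod=simple credentials=$rootpw` and `starttls=$starttls`, while replicating `attrs="*,+"` (every user and operational attribute, userPassword hashes included) — and the class parameter in the first hunk defaults `$starttls = "no"`, so unless `$provider[proto]` is `ldaps` the directory root password and the full database cross the replication link in cleartext. The commented-out predecessor in the same hunk hard-coded `starttls=yes`, which reads as a regression rather than a deliberate choice, though which side of this compare is current cannot be recovered from the page, so please confirm. I would default to `$starttls = "critical"` (slapd then aborts the session instead of silently continuing in cleartext when STARTTLS fails) and annotate the parameter with `# STARTTLS for syncrepl; "critical" refuses cleartext fallback — rootpw and password hashes traverse this link`. Separately, the ACL key `'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))'` hard-codes the suffix where every other ACL interpolates `$database`, so for any other suffix the filter never matches and the NOLOGIN exclusion silently does nothing; it should end in `...,ou=Groups,$database))`. The class body and the `openldap::server::database` resource continue outside the visible hunks.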